At our school district, we run a 2-node HA array of Fortinet FG-900Ds. These run great, but are starting to get old. This is the data sheet on the FG-900Ds: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_900D.pdf
We use SSL packet inspection to aid in content filtering.
Is it too much of a stretch to expect the same or better performance if we replace these with NetGate appliances or enterprise grade servers running pfSense Plus?
If you are using SSL decrypt, I wouldn't consider using pfSense, since the overhead to set up and maintain policies is a lot. Fortinet and Palo Alto are the ones I would consider.
FortiGates have so many CVEs they haven't cleaned up, and they continue to ignore them over years. The company I work for replaced 15+ FortiGates with Netgate appliances (pfSense).
I’d also argue that SSL inspection should be done at the endpoint level and not at the firewall.
- If you have work-from-home users, then they still get the benefit of SSL inspection locally on their machines.
- You save your firewall resources for better performance.
- Save yourself the headache of keeping up with certificates.
I think SSL inspection really should be done on both the endpoints and the firewall if you are looking for the best protection, but if I had to choose one, it would be the firewall. I say this because a compromised system can bypass the endpoint software, but not the firewall. As for the certs, most internally issued ones are usually good for a few years, so it's not really that often. And for remote users, I would set up full-tunnel connections.